agile and secure development
TRANSCRIPT
How security process looks in reality
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of
security
defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
TIME to FIX
How it should look like
With proper Security Program number of
security defects should decrease from phase
to phase
Automated security
Tests
CIintegrated
ManualSecurity/penetration
Testing
OWASP methodology
Secure
Codingtrainings
RegularVulnerability
Scans
Minimize the costs of the Security related issues
Avoid repetitive security issues
Avoid inconsistent level of the security
Determine activities that pay back faster during current state of the project
Primary Benefits
Why code analysis do not resolve all problems?
Many of the CWE vulnerability types, are design issues, or business logic issues.
Application security testing tools are being sold as a solution to the problem of
insecure software.
55%45%
Ability of Security Tools to identify real vulnerability
Not Covered Claimed Coverage
13
Tools – At Best 12%
• MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695)
• They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
• Based on this new data from the CSA at the NSA, SAST has 12% vulnerability coverage
MITRE's study
Security Tooling – No Silver Bullet
Design Flaws Security Bugs
1. Occur during the architecture phase
2. High level
3. More expensive to remediate – requires
architectural changes
4. Requires human analysis to uncover
5. Logical defects
6. Rights separation
7. Complex attack vectors
8. Defects in architecture and design
9. Real Cryptography level
1. Occur curing the code phase
2. Code level - Looking for known, defined
and predictable patterns
3. Cheaper to remediate – requires code
changes
4. Can be identified using automated tools
Can be resolved by:
SoftServe Expert
Can be resolved by:
Security Tool (Veracode, IBM Appscan,,
HP Fortify SCA
Both security tooling and security assessments are required to address both types of vulnerabilities
QA Engineer Security Analyst
In functional and performance testing,
the expected results are documented
before the test begins, and the quality
assurance team looks at how well the
expected results match the actual results
In security testing, security
analysts team is concerned
only with unexpected results
and testing for the unknown
and looking for weaknesses.
VS.
Manual Pen testing
Manual penetration testing adds the benefit of specialized human expertise to our
automated static and dynamic analysis — and it uses the same methodology cyber-
criminals use to exploit application weaknesses such as business logic vulnerabilities.
Manual Penetration Testing involves one or more security experts performing tests
and simulating “in the wild” attacks. The goal of such testing is to determine the
potential for an attacker to successfully access and perform a variety of malicious
activities by exploiting vulnerabilities, either previously known or unknown, in the
software.
The results of this review will help strengthen the established security controls,
standards, and procedures to prevent unauthorized access to the organizational
systems, applications, and critical resources. As a result of SoftServe tests, the
SoftServe will prepare detailed work papers documenting the tests performed, a
report of SoftServe findings including recommendations for additional security
controls as required.
SoftServe MPT is designed to compliment and extend an automated assessment
Agile Secure Development Lifecycly
•Every-Sprint practices: Essential security practices that should be performed in every release.
•Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
•One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.
Integrated Security process
Build
• Build code with special debug options
Deploy
• Pack build and code
• Deploy app to VM for test
Test Security
• Run code test
• Run Test dynamic web application from VM with security tools
Analyze
• Collect and format results
• Verify results
• Filter false positive / negative
• Tune scanning engine
• Fix defects
High level vision
Dynamic Security testingStatic Code Analysis
CI tools
Deploying application
Security Reports
Pull source code
Real project view
Dynamic Security testing
CI tools
Deploying application
Security Reports
Pull source code
We have best tools…IBM AppScan
license
Burp Suite
license
HP Fortify
certification
Partnership
with Veracode
Available SaaS
SoftServe offer
• Certified security experts to control security on
project
• SoftServe utilize different set of tools to ensure
coverage (IBM, Veracode, PortSwinger, OpenVAS)
• Regulars scans that could be integrated to CI
• Education and Case study based on defect severity
for Dev and QA stuff
• Following Secure SDLC practices
• And many more
Annual development expense cost savings
Application
Development
Cost Savings
Vulnerability
Remediation Cost
Savings
Compliance & Pen
Testing Cost Savings
Application
Outsourcing Pay for
Performance
Streamline & minimize remediation costs for application development by identifying /fixing vulnerabilities at their origin
Lower costs associated with compliance testing fees and penetration testing
Decrease 3rd party development fees by incenting software security performance
The Benefit of SoftServe Internal Testing vs. 3rd Party
SoftServe Internal Testing 3rd Party Scan
1. Finds issues large and small
2. Reports and resolves issues
directly to development
3. Objective
4. Credentialed
5. Industry standard toolset
1. Finds issues large and small
2. Reports issues to managers
3. Objective
4. Credentialed
5. Industry standard toolset
6. Can be scheduled any time
7. Keeps up with the 2 week
development cycle
8. Regular QA and Dev Team
trainings
The Benefit of SoftServe Security Testing vs. 3rd Party
Benefit/Feature Description
Easy to start • Low initial cost
• Leverage internal resources to defray additional expense
• Maximizes assistance
• Maximizes internal resources and ongoing efforts
Provide more
actionable
information
• Focus on what really matters
• Validate your own internal processes and test procedures
Improve security
knowledge
• Security expertise within the solution
• Can assist in keeping test plans up to date
• Assist in validation of fixed items
• Stay on top of testing regression issues and new features
Increase technology
coverage
• Assurance in testing the latest technologies for the latest
vulnerabilities
• Increasing the speed and efficiency of building security into a
development lifecycle
Value
20-40% time for testing/re-testing decrease
Catch problems as soon as possible
Avoid repetitive security issues
Improve Security Expertise/Practices for current Team
Automation, Integration, Continuously
Proactive Security Reporting
Full coverage
After build succeed we pack app to transfer it to Security testing tool
We are able to detect line of bugged code
Thank you!
Thank You!Copyright © 2014 SoftServe, Inc.
Europe Headquarters
52 V. Velykoho Str.
Lviv 79053, Ukraine
Tel: +380-32-240-9090
Fax: +380-32-240-9080
E-mail: [email protected]
Website: www.softserveinc.com
US Headquarters
12800 University Drive, Suite 250
Fort Myers, FL 33907, USA
Tel: 239-690-3111
Fax: 239-690-3116
E-mail: [email protected]
Website: www.softserveinc.com